SMBs Ignoring Insider Threats

Many smaller organizations do not adequately protect against insider threats, CERT expert warns.

Small and midsized firms are just as likely to fall victim to insider threats as are big companies and government agencies. Many organizations also do not prosecute or report insider incidents, either due to a lack of evidence or concerns about damage to company reputation, a security specialist concludes.

Insider threats cover a spectrum of activities, ranging from theft of intellectual property to fraud and sabotage, explained Michael C. Theis, the chief counterintelligence expert and lead researcher at Carnegie Mellon University's CERT Insider Threat Center. Because there is no single type of insider threat, firms need to be aware of a variety of danger signs indicating that something may not be right with an employee, Theis said at a recent government-business symposium held by the Armed Forces Communications and Electronics Association.

An insider threat, Theis explained, is a current or former employee, contractor, or business partner who uses their legitimate authorization to access critical information and services for malicious purposes. He added that there is also a category of unintentional insider threats: leaks and loss of information by otherwise well-meaning staff and contractors, usually through lax security protocols.

According to the CERT Center's 2014 US State of Cybercrime Survey, 37% of 557 surveyed firms reported some kind of cybercrime issue in 2013. Small firms (those with fewer than 500 employees) made up 43% of the organizations in the survey. Of the reported cybercrime incidents, 32% were caused by insiders. Forty-six percent of surveyed firms also found insider threats to be more damaging than outsider attacks. The report noted that 82% of the incidents included the exposure or loss of sensitive or confidential information, 76% reported the theft or compromise of confidential records, 71% reported the theft or compromise of customer data, and 63% reported the theft or exposure of employee records.

The report also found that 75% of insider crimes were not prosecuted or reported to law enforcement, for a variety of reasons. Thirty-four percent of firms found that the damage was insufficient to warrant prosecution, 36% cited a lack of sufficient evidence or information to prosecute, 37% of firms could not identify the responsible individuals, while 12% didn't do anything due to concerns about bad publicity and 8% didn't pursue an investigation because of potential litigation issues.

Every sector of the economy has suffered from insider threats such as theft of intellectual property, sabotage, and fraud, Theis said. Sabotage of company IT systems includes deleting information, bringing down systems, and website defacement. He noted that personnel don't have to be IT professionals to successfully sabotage company networks.

Theft of intellectual property is often conducted by skilled professional staff such as scientists, engineers, and sales force personnel. Stolen intellectual property can be proprietary business information, source code, or industrial espionage. For fraud, insider activities consist of falsified payroll reimbursements, unauthorized acquisitions with company funds, theft and sale of confidential information, and modifying or hiding criminal activity after the fact.

IT sabotage is almost always conducted by former employees, while fraud is usually committed by currently employed staff, and theft of intellectual property usually happens within 30 to 90 days of an individual's resignation, Theis said.

Malicious insiders can be spies inserted into an organization for espionage purposes, or they can be employees recruited in place, Theis said. He added that the majority of insider threats come from disillusioned or otherwise dissatisfied personnel.

It is important for firms to keep track of employee behavior in the office and online to head off issues before they happen, Theis explained. That's because the individuals who cause such incidents are often unhappy with some aspect of their employment and usually discuss this with coworkers or through email and corporate social media. He added that organizations also need to be on the lookout for suspicious activity on corporate networks, such as the removal or copying of documents or unauthorized access to data.

To mitigate insider threats, organizations should accurately assess the level of trust they place in individual staff, "right-size" staff access and permissions to only those areas they need to do their jobs, and effectively monitor employee activities and behavior at work and online, Theis said.
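The three mitigation steps above (assess trust, right-size access, monitor activity) and the earlier observations that IT sabotage is almost always the work of former employees and that document copying is a warning sign can be turned into routine checks a small IT shop could run. The script below is an added example, not code from the article, from Theis or from CERT. It assumes an HR roster, a directory export of granted permissions, a per-role baseline policy (`ROLE_BASELINE`, an assumed policy), and a file-server log in a simple "date user ACTION path" format; every name, role and log line is constructed for the illustration.

```python
"""Insider-risk review over constructed sample data.

Added example, not code from the article or from CERT. It turns the three
mitigation steps Theis lists (assess trust/access, right-size permissions,
monitor activity) into checks run against an HR roster, a directory export
and a file-server log. All names, roles and log lines are constructed;
ROLE_BASELINE is an assumed policy, not a CERT recommendation.
"""
from collections import Counter
from datetime import date

# Date the review is run as of (constructed).
REVIEW_DATE = date(2014, 6, 3)

# Constructed HR roster: user -> (role, termination date or None if still employed)
ROSTER = {
    "alice": ("engineer", None),
    "bob": ("sales", None),
    "carol": ("finance", None),
    "dave": ("engineer", date(2014, 5, 30)),  # former employee
}

# Assumed baseline: the permissions each role needs to do its job
ROLE_BASELINE = {
    "engineer": {"source_repo", "build_server"},
    "sales": {"crm", "price_list"},
    "finance": {"payroll", "accounts_payable"},
}

# Constructed directory export: user -> permissions actually granted today
GRANTS = {
    "alice": {"source_repo", "build_server"},
    "bob": {"crm", "price_list", "payroll"},                  # payroll is not a sales need
    "carol": {"payroll", "accounts_payable", "source_repo"},  # source_repo is not a finance need
    "dave": {"source_repo", "build_server"},                  # never revoked after departure
}

# Constructed file-server log: "YYYY-MM-DD user ACTION path"
ACCESS_LOG = """\
2014-06-02 alice COPY /repo/module_a.c
2014-06-02 bob COPY /shares/customers/north.xlsx
2014-06-02 bob COPY /shares/customers/south.xlsx
2014-06-02 bob COPY /shares/customers/east.xlsx
2014-06-02 bob COPY /shares/customers/west.xlsx
2014-06-02 carol READ /shares/finance/q2_payroll.xlsx
2014-06-03 dave COPY /repo/module_b.c
"""


def parse_log(text):
    """Parse log lines into (date, user, action, path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, path = line.split(maxsplit=3)
        events.append((date.fromisoformat(day), user, action, path))
    return events


def terminated_with_access(roster, grants, as_of):
    """Former employees (terminated on or before as_of) who still hold any permission.
    Sabotage is almost always by former staff, so revoking these comes first."""
    return sorted(
        user for user, (_, left) in roster.items()
        if left is not None and left <= as_of and grants.get(user)
    )


def excess_permissions(roster, grants, baseline):
    """Permissions granted beyond what the user's role needs (right-sizing)."""
    excess = {}
    for user, (role, _) in roster.items():
        extra = grants.get(user, set()) - baseline.get(role, set())
        if extra:
            excess[user] = extra
    return excess


def activity_after_termination(events, roster):
    """Log events by users whose termination date precedes the event date."""
    flagged = []
    for day, user, action, path in events:
        left = roster.get(user, (None, None))[1]
        if left is not None and day > left:
            flagged.append((day.isoformat(), user, action, path))
    return flagged


def bulk_copy_users(events, threshold):
    """Users who copied at least `threshold` files in a single day: the
    'removal or copying of documents' signal the article mentions."""
    per_day = Counter((user, day) for day, user, action, _ in events if action == "COPY")
    return {user: n for (user, day), n in per_day.items() if n >= threshold}


def review(as_of, copy_threshold=3):
    """Run all checks and return plain-text findings for a human reviewer."""
    events = parse_log(ACCESS_LOG)
    findings = []
    for user in terminated_with_access(ROSTER, GRANTS, as_of):
        findings.append(f"{user}: account still holds access after termination")
    for user, extra in excess_permissions(ROSTER, GRANTS, ROLE_BASELINE).items():
        findings.append(f"{user}: permissions beyond role baseline: {sorted(extra)}")
    for day, user, action, path in activity_after_termination(events, ROSTER):
        findings.append(f"{user}: {action} {path} on {day} after termination")
    for user, n in bulk_copy_users(events, copy_threshold).items():
        findings.append(f"{user}: copied {n} files in one day (threshold {copy_threshold})")
    return findings


if __name__ == "__main__":
    for line in review(REVIEW_DATE):
        print(line)
```

Against the constructed data this produces five findings: the departed engineer still holding repository access and using it after termination, two employees holding permissions their roles do not need (the multi-hat problem the comments below describe), and one user copying four customer files in a day. The copy threshold is a tuning knob; in practice it would be set from a baseline of normal daily activity rather than the fixed value used here.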

Henry Kenyon is a contributing writer to InformationWeek Government. He has covered Government IT and Defense markets since 1999 for a variety of publications including Government Computer News, Federal Computer Week, AFCEA's Signal Magazine and AOL Government.

Sadly what I tend to see happening is that the intangibles are left undone until they cause a bigger problem. Either data is lost, systems crash or someone embarrasses the company by pointing out the gaping hole in their security. Then the issue is addressed. Some IT issues are tough for small business owners to wrap their heads around so they ignore them rather than be confused trying to figure them out. I stopped doing side jobs for small businesses because I got tired of trying to head off problems for these businesses and having them decide not to follow my advice. Then later on I would be cleaning up a mess that could have been avoided. Yes it was a way to guarantee income but the frustration wasn't worth it anymore.

So what is a small company to do when they don't have the resources available to both fix the delivery van and secure the network? There's probably always going to be something with a more immediate priority, until it's too late.

@jagibbons, I think you're dead on. This isn't a new issue; I've been seeing it for a couple of decades in small businesses, and I see it stem from the same handful of places. First is the cost to fully secure anything. A small business will choose to do things like fix a delivery van over spending the money needed to properly secure their network. Secondly, many employees wear multiple hats. I've seen functions in HR, IT and Accounting being performed by the same person; if you want to make it easy for someone to embezzle from you, those would be the three roles combined that would make it almost impossible to catch them. Lastly, small businesses tend to form closer relationships, which can be good and bad. A good employee will be very loyal and will break their back trying to move the company forward, but when things go bad they take it very personally and are more apt to do something in retribution.

Insider threats for SMBs don't have to be a total unknown. A range of simple practical measures can help any sized organization mitigate the risks - from restricting employees sharing passwords, restricting network access when employees leave, tailored user awareness training and managers setting the example. How organizations can move from paranoia to protection is covered in our latest blog post here: http://www.isdecisions.com/blog/it-security/insider-threat-program-from-paranoia-to-protetion/

Interesting report. Seems as though even in smaller businesses where one would think the level of trust would be higher doesn't necessarily predicate this notion. Very hard to gain a real sense of trust amongst those you go in business with...

In a smaller business, key employees often wear multiple hats. Any single individual is likely to have more access and more information than in a larger organization where roles are more likely to be segmented and insulated. Additionally, SMBs may have the same level of resources (human or dollar) to throw at security. The worst case is when that network/security lead in IT decides to leave. If that's a difficult separation, it can be very difficult and very expensive to secure the business. Been there, and don't ever want to be there again.